            throw new FbX($ccms['lang']['auth']['featnotallowed']);
        }
    } catch (CcmsAjaxFbException $e) {
        $e->croak();
    }
    exit;
}
/**
 *
 * Add a comment to the current page (POST handler)
 *
 */
// Gate: only a POSTed 'add-comment' action whose 'verification' field matches the captcha stored in the
// session gets this far. The trailing !empty() on the session value is what keeps this fail-closed when no
// captcha was ever generated (without it, an absent session value would compare equal to an absent field).
// NOTE(review): the captcha match uses loose '==' between two strings; numeric-looking captchas
// (e.g. "0e12" vs "0e34") compare equal under '=='. A strict '===' (or hash_equals()) is the safer form.
// $_POST['verification'] is also read without isset(), which raises a notice when the field is absent.
// Nothing in this excerpt clears $_SESSION['ccms_captcha'] after use — confirm it is reset elsewhere so a
// solved captcha cannot be reused for further submissions.
if ($_SERVER['REQUEST_METHOD'] == 'POST' && $do_action == 'add-comment' && $_POST['verification'] == $_SESSION['ccms_captcha'] && !empty($_SESSION['ccms_captcha'])) {
    $error = '';
    // Every field is read through a getPOSTparam4*() filter helper; the visible code relies on those
    // helpers (not on strip_tags) for display safety, so do not bypass them with raw $_POST reads here.
    $commentName = getPOSTparam4DisplayHTML('name');
    $commentEmail = getPOSTparam4Email('email');
    $commentUrl = getPOSTparam4URL('website');
    // second argument is presumably the default rating when the field is missing — confirm in the helper
    $commentRating = getPOSTparam4Number('rating', 3);
    $commentContent = getPOSTparam4DisplayHTML('comment');
    // no need for strip_tags here: 4DisplayHTML already encodes anything that might be dangerous in HTML entities so they show but don't hurt
    // REMOTE_ADDR is the TCP peer address; behind a reverse proxy or load balancer this is the proxy, not the visitor.
    $commentHost = $_SERVER['REMOTE_ADDR'];
    // Required-field check. Note that !empty() also rejects a rating of 0 (or the string '0');
    // the website URL is the only field that may be left blank.
    if (!empty($commentName) && !empty($commentEmail) && !empty($commentRating) && !empty($commentContent) && !empty($commentHost)) {
        $values = array();
        // [i_a] make sure $values is an empty array to start with here
        // Every entry goes through MySQL::SQLValue(), which (judging by its name and the ENUM remark below) is the
        // quoting/escaping layer for the database write that presumably follows (not visible in this excerpt).
        // No raw request value may be placed into $values directly.
        $values['page_id'] = MySQL::SQLValue($page_id, MySQL::SQLVALUE_NUMBER);
        $values['commentName'] = MySQL::SQLValue($commentName, MySQL::SQLVALUE_TEXT);
        $values['commentEmail'] = MySQL::SQLValue($commentEmail, MySQL::SQLVALUE_TEXT);
        $values['commentUrl'] = MySQL::SQLValue($commentUrl, MySQL::SQLVALUE_TEXT);
        $values['commentRate'] = MySQL::SQLValue($commentRating, MySQL::SQLVALUE_ENUMERATE);
        // 'note the 'tricky' comment in the MySQL::SQLValue() member: we MUST have quotes around this number as mySQL enums are quoted :-(
        $values['commentContent'] = MySQL::SQLValue($commentContent, MySQL::SQLVALUE_TEXT);
    // NOTE(review): this 'catch' has no matching 'try' in the excerpt — the listing appears to be truncated
    // somewhere between building $values and the database write / feedback handling.
    } catch (CcmsAjaxFbException $e) {
        $e->croak();
    }
}
/**
 *
 * Edit user details as posted by an authorized user
 *
 */
if ($do_action == 'edit-user-details' && $_SERVER['REQUEST_METHOD'] == 'POST' && checkAuth()) {
    FbX::SetFeedbackLocation('user-management.Manage.php');
    try {
        $userID = getPOSTparam4Number('userID');
        $userFirst = getPOSTparam4HumanName('first');
        $userLast = getPOSTparam4HumanName('last');
        $userEmail = getPOSTparam4Email('email');
        // Only if current user has the rights
        if ($perm->is_level_okay('manageUsers', $_SESSION['ccms_userLevel']) || $_SESSION['ccms_userID'] == $userID) {
            // Check length of values
            if (strlen($userFirst) >= 1 && strlen($userLast) >= 1 && strlen($userEmail) > 6) {
                $values = array();
                // [i_a] make sure $values is an empty array to start with here
                $values['userFirst'] = MySQL::SQLValue($userFirst, MySQL::SQLVALUE_TEXT);
                $values['userLast'] = MySQL::SQLValue($userLast, MySQL::SQLVALUE_TEXT);
                $values['userEmail'] = MySQL::SQLValue($userEmail, MySQL::SQLVALUE_TEXT);
                if ($db->UpdateRow($cfg['db_prefix'] . 'users', $values, array("userID" => MySQL::SQLValue($userID, MySQL::SQLVALUE_NUMBER)))) {
                    if ($userID == $_SESSION['ccms_userID']) {
                        $_SESSION['ccms_userFirst'] = $userFirst;
                        // getPOSTparam4HumanName already does the htmlentities() encoding, so we're safe to use & display these values as they are now.
                        $_SESSION['ccms_userLast'] = $userLast;
                    }
Of course, both anti-spam approaches may be used at the same time to
improve our chances of rejecting spam.


No matter what, the POSTed values are all filtered before we access them, so
the only remaining 'risk' is that someone pre-fills the form for a user, who
then needs to enter the captcha or at least hit the submit button.

Thanks to the filtering, the POSTed content cannot be used to aid XSS attacks,
whatever else happens.
*/
// Read the contact-form fields through the filtering helpers described in the comment above. Each helper is
// expected to return a filtered string (or an empty one when the field is absent) — confirm in the helper
// definitions, which are not part of this excerpt.
$subject = getPOSTparam4EmailSubjectLine('subject');
$message = getPOSTparam4EmailBody('message');
$sender = getPOSTparam4HumanName('name');
// Deliberate: the real address field is named 'abcdef'. The field named 'email' is the honeytrap that must
// stay empty (see the USE_HONEYTRAP_AGAINST_SPAM check in the 'send' branch below), so do not "fix" this name.
$emailaddress = getPOSTparam4Email('abcdef');
// If the action type is equal to send, then continue
if ($action_type == 'send' && $_SERVER['REQUEST_METHOD'] == 'POST') {
    $is_form_post = true;
    // make sure it's a valid action:
    if ((USE_CAPTCHA_AGAINST_SPAM ? POST2str('verification', 'x') == SESSION2str('ccms_captcha', 'y') : true) && (USE_HONEYTRAP_AGAINST_SPAM ? POST2str('email', '') == '' && POST2str('darling_jar', 'x') == SESSION2str('ccms_contactform_honeypot', 'y') : true)) {
        if (empty($emailaddress) || strcspn($emailaddress, '<"\'') != strlen($emailaddress)) {
            // email filter allows quoted prefix before the '<' ; we DO NOT as we have both parts separated here...
            $error = 'You specified an invalid email address';
        } else {
            if (empty($sender) || strpos($sender, '"') !== false) {
                // ... nor do we allow a double-quote inside the 'human name' preceeding part of the address.
                $error = 'You specified an invalid email sender name';
            } else {
                if (!empty($sender) && !empty($emailaddress) && !empty($subject) && !empty($message)) {
                    /*